As an increasing number and variety of devices are inter-connected via open or distributed networks, any information exchanged between the devices becomes potentially accessible to any one for any purpose. Certain type of information, in particular personal data of device users, subscribers or contributors require a specific protection through an efficient access control.
The usual solutions for protecting sensitive personal data are based on encryption at their transmission from a source device to a centralized storing device which nevertheless may be accessible to any third parties even to not concerned persons.
Document US2005/0216313A1, discloses an electronic medical record keeping system including a central data collection and data storage server linked via a network to different health data input sources. Each source provides controlled unidirectional input data via a first encryption key code for individual patients thereby enabling assimilation of data in the central server uniquely for each patient segregated from all other patient data. The sources further include a second encryption key code for the patient correlated with the first key code to enable initiation of a set of tool bar screens at a terminal accessed by the patient or doctor if authorized and bidirectional network connection to the unique patient data stored in the remote server.
Document WO2003/049000A1 discloses a method allowing users to store portions of their identity information with one or more identity providers. Identity information includes attributes such as the user's name, mailing address, e-mail, telephone number, and credit card number. An identity provider is an entity that creates, manages, and stores identity information for a plurality of users. A service provider is an entity that provides a service to a user and makes use of the aspects of the user's identity it has been authorized to access. A user can authenticate with an identity provider using, for example, a password-based credential or any other authentication mechanism. Service providers can then rely upon that authentication to provide access to authorized resources without requiring additional authentication. In some embodiments, however, additional authentication is performed because of the quality of the credential the user initially used to sign into the identity provider. Sensitive data have thus enhanced protection thanks to encryption and are accessible only to users having the necessary credential.
In this system user data are stored in several distributed databases having specific access controls requiring authentication either with an identity provider or a stronger authentication with signature.
Document U.S. Pat. No. 7,949,6191B1 discloses a method for managing customer data. This method includes assigning one or more roles with entities desiring access to customer data, the entities including at least one application. The method provides for determining a category associated with at least some of the customer data, determining an access level for each role based on the category associated with the at least some of the customer data, and restricting access by the application to a system maintaining the customer data based on whether the application is authorized to access the system.
In this document the mechanism of access levels to the customer data are defined as categories based on rules. The customer data are protected in a same way by an access control to a centralized database where all the customer data are stored. If a third party attempts to circumvent the rules, all data which is controlled by the rules in question may become accessible at a same time.
Document “Access Control: Principles and Practice”, Ravi S. Sandhu and Pierangela Samarati, IEEE Communications Magazine discloses an access control coupled with an authentication of a user with a reference monitor linked with an authorization database. Objects are protected with access rights such as read only, read/write so that each user has its own access rights depending on the class of the object. An access matrix is thus defined with rights attributed to each user for accessing different files and accounts.
Document EP1320012A2 discloses a system and method for providing distributed access control. A number of local servers are employed to operate largely on behalf of a central server responsible for centralized access control management. Such a distributed fashion ensures the dependability, reliability and scalability of the access control management undertaking by the central server. According an embodiment, a distributed access control system that restricts access to secured items can include at least a central server having a server module that provides overall access control, and a plurality of local servers. Each local server can include a local module providing local access control. The access control, performed by the central server or the local servers, operates to permit or deny access requests to the secured items by requestors.
According to a further embodiment, a secured document includes a header and encrypted data portion. The header includes encrypted security information to control the access to the encrypted data portion. A user key associated with an authenticated user must be retrieved in order to decrypt the encrypted security information.
According to a further embodiment, a secured file or secured document includes two parts: an attachment, referred to as a header, and an encrypted document or data portion. The header includes security information that points to or includes the access rules and a file key. The access rules facilitate restrictive access to the secured document and essentially determine who/when/how/where the secured document can be accessed. The file key is used to encrypt/decrypt the encrypted data portion.
The method of EP1320012A2 appears thus to be rather complex with at least two levels of encryption: encryption of the security information in a header portion and encryption of the data portion with a key defined by the security information. Access rules are also used after decryption of the header.